ZionSiphon malware targets Israeli water and desalination systems

Researchers at Darktrace have identified a new malware strain dubbed ZionSiphon designed to target Israeli water treatment and desalination systems, with code specifically built to interact with industrial control system (ICS) and operational technology (OT) environments.
The malware was first detected on June 29, 2025, and includes functionality to identify processes associated with reverse osmosis, chlorine handling, and plant control systems.
Researchers said the malware appears designed to activate only when two conditions are met: a geographic trigger and an environmental trigger tied to desalination or water treatment systems.
Once executed, ZionSiphon scans devices on the local network, attempts communications using Modbus, DNP3, and S7comm industrial protocols, and alters configuration settings related to chlorine levels and pressure controls. Analysis found the Modbus-based attack functionality is the most developed, while the DNP3 and S7comm components appear incomplete, suggesting the malware may still be under development.
The malware appears configured to focus on Israeli IP ranges and includes politically themed embedded strings, according to reporting.
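What the behaviour described above looks like on the wire is a plain Modbus/TCP write: an MBAP header, a function code such as 6 or 16, a register address and a value, with nothing in the protocol that says who is allowed to send it. The inspection that the commentary below calls for, flagging unauthorized register writes, therefore comes down to decoding that framing and checking every write against a policy. The following is an added example written for this page, not Darktrace's analysis or any vendor's product: it parses Modbus/TCP frames, raises an alert on writes from hosts outside an engineering allowlist, on writes to registers not marked writable, and on values outside a safe band, and it fails closed on frames it cannot decode. The host addresses, register numbers (1000 for a chlorine dose setpoint, 1001 for a pressure setpoint), bounds and sample frames are all invented for the illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Function codes that change controller state; anything else is treated as a poll.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register", 15: "Write Multiple Coils",
                   16: "Write Multiple Registers", 23: "Read/Write Multiple Registers"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start: int = 0                                   # first coil/register address touched
    count: int = 0                                   # number of coils/registers touched
    values: List[int] = field(default_factory=list)  # written register values or coil bitmap bytes

def parse_modbus_tcp(payload: bytes) -> List[ModbusRequest]:
    """Decode every MBAP-framed request in one TCP payload; malformed input raises ValueError
    so the caller fails closed instead of passing traffic it cannot decode."""
    requests: List[ModbusRequest] = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 8:
            raise ValueError("truncated MBAP header")
        tid, proto, length, unit = struct.unpack_from(">HHHB", payload, off)
        pdu = payload[off + 7:off + 6 + length]
        if proto != 0 or length < 2 or len(pdu) != length - 1:
            raise ValueError("bad MBAP header or frame shorter than its length field")
        off += 6 + length
        req = ModbusRequest(tid, unit, pdu[0])
        try:
            if req.function in (1, 2, 3, 4):           # read: start address, quantity
                req.start, req.count = struct.unpack_from(">HH", pdu, 1)
            elif req.function in (5, 6):               # single write: address, value
                req.start, value = struct.unpack_from(">HH", pdu, 1)
                req.count, req.values = 1, [value]
            elif req.function in (15, 16):             # multiple write: start, quantity, byte count, data
                req.start, req.count, nbytes = struct.unpack_from(">HHB", pdu, 1)
                req.values = (list(pdu[6:6 + nbytes]) if req.function == 15
                              else list(struct.unpack_from(f">{req.count}H", pdu, 6)))
            elif req.function == 23:                   # read/write: the write part starts at byte 5
                _, _, req.start, req.count, nbytes = struct.unpack_from(">HHHHB", pdu, 1)
                req.values = list(struct.unpack_from(f">{req.count}H", pdu, 10))
        except struct.error as exc:
            raise ValueError(f"PDU too short for function code {req.function}") from exc
        requests.append(req)
    return requests

@dataclass
class WritePolicy:
    engineering_hosts: FrozenSet[str]               # only these may issue any write
    writable_registers: Dict[int, Tuple[int, int]]  # holding register -> inclusive safe range
    writable_coils: FrozenSet[int]                  # coils an operator may toggle remotely

def inspect(src_ip: str, dst_ip: str, payload: bytes, policy: WritePolicy) -> List[str]:
    """Return one alert per policy violation in the payload; an empty list means clean."""
    try:
        requests = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"{src_ip}->{dst_ip}: undecodable Modbus frame ({exc}), fail closed"]
    alerts: List[str] = []
    for r in requests:
        if r.function not in WRITE_FUNCTIONS:
            continue
        who = f"{src_ip}->{dst_ip} unit {r.unit_id} {WRITE_FUNCTIONS[r.function]}"
        if src_ip not in policy.engineering_hosts:
            alerts.append(f"{who}: write from non-engineering host")
        if r.function in (5, 15):
            alerts += [f"{who}: coil {c} is not writable"
                       for c in range(r.start, r.start + r.count) if c not in policy.writable_coils]
            continue
        for i, value in enumerate(r.values):
            addr, bounds = r.start + i, policy.writable_registers.get(r.start + i)
            if bounds is None:
                alerts.append(f"{who}: register {addr} is not writable")
            elif not bounds[0] <= value <= bounds[1]:
                alerts.append(f"{who}: register {addr} value {value} outside safe range {bounds}")
    return alerts

def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Hypothetical plant policy: register 1000 is the chlorine dose setpoint and 1001 the RO feed
# pressure setpoint; addresses, units and bounds are invented for this example.
POLICY = WritePolicy(engineering_hosts=frozenset({"10.20.1.5"}),
                     writable_registers={1000: (0, 300), 1001: (50, 400)},
                     writable_coils=frozenset({7}))

# Constructed sample traffic, not captured from the malware.
OPERATOR_WRITE = build_frame(1, 1, struct.pack(">BHH", 6, 1000, 150))          # FC 6, in range
ROGUE_WRITE = (build_frame(2, 1, struct.pack(">BHH", 3, 1000, 2))              # FC 3 read, ignored
               + build_frame(3, 1, struct.pack(">BHHBHH", 16, 1000, 2, 4, 900, 0)))  # FC 16, out of range
TRUNCATED = OPERATOR_WRITE[:-2]                                                 # length field exceeds data

if __name__ == "__main__":
    for name, src, payload in [("operator", "10.20.1.5", OPERATOR_WRITE), ("rogue", "10.20.1.77", ROGUE_WRITE),
                               ("truncated", "10.20.1.77", TRUNCATED)]:
        print(name, inspect(src, "10.20.2.10", payload, POLICY) or ["clean"])
```

Two design points matter more than the parsing. First, the value bounds live in the inspector, outside the PLC and the engineering workstation, so a compromised HMI or a malware sample that has learned the register map still cannot push a setpoint past the band without tripping an alert; that is the network-side counterpart of the hard-coded failsafes mentioned below, not a replacement for them. Second, undecodable frames are reported rather than skipped, because a sensor that quietly ignores what it cannot parse is the first thing an attacker will probe for.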
Josh Marpet, Senior Product Security Consultant, Finite State had this to say:
“The rise of hacktivist actions is increasing. From nation-state (Stuxnet), to this apparent politically motivated terroristic action, it is becoming easier and easier to build, configure, and deploy malware against Operational Technology (OT) targets. These targets include water, power, sewer, and other utilities and critical infrastructures. Without an OT-specific security program and/or partner, it’s almost impossible for the utility companies to protect against these types of attacks.
“OT devices are fundamentally different from Information Technology (IT) devices. Compare a laptop to a thermostat, or a factory full of valves and switches. Without specialized knowledge and experience, the normal IT security firms are simply not enough. After all, laptops rarely explode. Factories full of chemicals…can.”
Damon Small, Board of Directors, Xcape, Inc. adds this comment:
“ZionSiphon is an intent-driven Operational Technology (OT) sabotage malware targeting the logic of water desalination and treatment plants. The immediate business risk is physical process disruption, specifically manipulating hydraulic pressure and chemical dosing, with the possibility of infrastructure damage or public health incidents.
“Technically, it is highly sector-specific, with dual-trigger checks for Israeli IP ranges and process names like ‘ChlorineCtrl’. Though a current flaw prevents payload activation, functional Modbus sabotage routines and DNP3/S7comm stubs indicate active development. Despite post-Stuxnet awareness, critical infrastructure remains exposed to 45-year-old unauthenticated protocols. Mitigation requires urgent OT/IT network segmentation, deep packet inspection for unauthorized register writes, and verified hard-coded failsafes to prevent dangerous chemical or pressure levels, irrespective of compromised software.
“Relying on unauthenticated Modbus to protect the water supply is like locking your front door with a Post-it note that says, ‘Please don’t come in.’”
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs follows up with this comment:
“AI has compressed the timeline for developing ICS malware from months to days, and ZionSiphon demonstrates exactly where that trajectory leads. The malware’s dual-trigger design, requiring both an Israeli IP range and the presence of desalination or water treatment processes before activating, reflects deliberate targeting of infrastructure that is both nationally critical and geopolitically charged.
“Israel depends on desalination for a significant share of its drinking water, and ZionSiphon’s target list names specific facilities including Mekorot, Sorek, Hadera, and Palmachim. Darktrace’s analysis found the Modbus sabotage path is fully implemented while DNP3 and S7comm remain incomplete. That development gap will close faster than the industry expects when the structured technical knowledge required to build this tooling is exactly what AI models accelerate.
“The protocols ZionSiphon targets date to the late 1970s. Modbus has no authentication and no encryption. DNP3 and S7comm carry the same fundamental weakness. Any device on the network segment can issue commands that a controller will execute without question. As geopolitical tensions continue to drive threat actors toward critical infrastructure, these protocols represent an expanding attack surface defended by decades-old assumptions.
“When malware can identify processes associated with reverse osmosis, chlorine handling, and plant control systems, and then communicate directly with the controllers managing them, the only meaningful barrier is the network architecture surrounding those protocols.
“Every ICS protocol should sit behind multiple layers of network segmentation, with strict access controls governing what can reach those segments. If Modbus traffic is reachable from an IT network or an internet-facing system, the architecture has already failed before the malware arrives. The industry also needs sustained investment in zero-trust solutions layered on top of these legacy protocols. Modbus and DNP3 are not going away. The installed base is too large, and the replacement cost is too high. The security model has to evolve around them.”
This illustrates that critical systems like these are prime targets for threat actors, which means that everything possible must be done to keep them from being compromised. The consequences of failing to do so are physical, not just digital, and could be massive.
This entry was posted on April 21, 2026 at 3:39 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.